
Securing OpenClaw: 6 Security Fixes Landed in Main for the Fastest-Growing Open-Source Project in GitHub History

OpenA2A Team

TL;DR: We contributed 6 security fixes to OpenClaw (205K+ GitHub stars, fastest project to reach 100K stars in GitHub history). 4 PRs were merged directly, 2 were adopted by maintainers into shared upstream modules. Fixes cover credential redaction, code safety scanning, path traversal, file permissions, timing side-channels, and npm lifecycle script attacks.

What We Fixed

Over the past several weeks, we submitted 6 pull requests to the OpenClaw repository targeting distinct vulnerability classes across the gateway, plugin system, and credential management layers. Here is the full breakdown.

PR #9806 — Skill/Plugin Code Safety Scanner

Merged directly into openclaw/openclaw

A zero-dependency static-analysis scanner that flags command injection, eval abuse, data exfiltration, obfuscated code, crypto mining and environment-variable harvesting in skills before they execute. It runs automatically at install and update time.

16 files changed, +1,721 additions, -94 deletions
Cherry-picked by 10+ downstream forks.

PR #9858 — Credential Redaction in config.get Gateway Responses

Merged directly into openclaw/openclaw

The config.get WebSocket method returned every channel credential in plaintext to any connected client. We built a redaction layer covering 10+ channels, including Telegram, Discord, Slack and WhatsApp, and added 15 test cases validating redaction across all credential types.

7 files changed, +669 additions, -12 deletions
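The redaction described above, as an added example that is not OpenClaw's redaction layer: it walks a config object on its way out of a gateway method, replaces non-empty string values under credential-looking keys, and treats a whole credentials object (such as a WhatsApp creds blob) as sensitive. The key patterns, the allow-list for keys like maxTokens that contain a sensitive word but are not secrets, and the constructed sample config are assumptions for this illustration.

```javascript
// Added example, not OpenClaw code.
// Keys whose values are credentials. Matched against a lower-cased key with separators
// removed, so botToken, bot_token and BOT-TOKEN all match "token".
const SECRET_KEY = /token|secret|password|passwd|apikey|privatekey|cred|authkey/;
// Keys containing one of those words that are not secrets (assumed allow-list).
const NOT_SECRET = new Set(['maxtokens', 'tokenlimit', 'tokenbudget']);
const REDACTED = '[REDACTED]';

function normalizeKey(key) {
  return String(key).toLowerCase().replace(/[^a-z0-9]/g, '');
}

function isSecretKey(key) {
  const k = normalizeKey(key);
  return SECRET_KEY.test(k) && !NOT_SECRET.has(k);
}

// Redact every non-empty string leaf regardless of key (for credential objects).
function redactAll(node) {
  if (Array.isArray(node)) return node.map(redactAll);
  if (node !== null && typeof node === 'object') {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, redactAll(v)]));
  }
  return typeof node === 'string' && node.length > 0 ? REDACTED : node;
}

// Redact credential-keyed values anywhere in a config tree. Returns a new object (the
// input is never mutated) and leaves empty/unset values alone so operators can still
// tell which credentials are configured.
function redactConfig(node) {
  if (Array.isArray(node)) return node.map(redactConfig);
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    if (!isSecretKey(key)) { out[key] = redactConfig(value); continue; }
    if (typeof value === 'string') out[key] = value.length > 0 ? REDACTED : value;
    else if (value !== null && typeof value === 'object') out[key] = redactAll(value);
    else out[key] = value; // numbers/booleans under a secret-looking key are not credentials
  }
  return out;
}

// Constructed sample config (values are placeholders, not real credentials).
const SAMPLE_CONFIG = {
  gateway: { port: 18789, maxTokens: 4096 },
  channels: {
    telegram: { enabled: true, botToken: 'constructed-telegram-token' },
    discord: { token: 'constructed-discord-token', guildId: '123' },
    slack: { botToken: 'constructed-slack-bot-token', signingSecret: 'constructed-signing-secret', appToken: '' },
    whatsapp: { creds: { noiseKey: 'constructed-noise-key', me: { id: '1555@s.whatsapp.net' } } },
  },
};

module.exports = { redactConfig, redactAll, isSecretKey, SAMPLE_CONFIG };
```

Apply redactConfig at the single point where the config leaves the gateway process; redacting in each channel adapter separately is how one channel gets missed.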

PR #10525 — TOCTOU Path Traversal Fix in A2UI File Serving

Merged directly into openclaw/openclaw

The A2UI file-serving endpoint used a two-step lstat + realpath check, which is open to a time-of-check/time-of-use (TOCTOU) race: an attacker could swap in a symlink between the check and the read and traverse outside the served directory. We replaced it with an atomic openFileWithinRoot helper, which removes the race window entirely.

3 files changed, +126 additions, -36 deletions

PR #10529 — World-Readable WhatsApp Credentials

Merged directly into openclaw/openclaw

The WhatsApp channel adapter wrote creds.json with the default 0644 permissions, so any local user on the host could read the channel credentials. We added chmodSync(path, 0o600) to all three write paths so that only the file owner can read or write it.

3 files changed, +16 additions, -0 deletions

PR #10527 — Timing Side-Channel in Hook Token Authentication

Adopted by maintainers into shared safeEqualSecret module

Hook token authentication used standard string comparison (===), which leaks token length and character values through timing differences. Proposed replacing with crypto.timingSafeEqual. The maintainers agreed with the fix and adopted it into a shared safeEqualSecret utility module, applying the constant-time comparison across all authentication paths.

Upstream adoption: The maintainers generalized our fix into a reusable module applied project-wide, extending the protection beyond the original hook authentication path.

PR #10528 — npm Lifecycle Script Attacks During Plugin/Hook Installation

Adopted by maintainers into shared installPackageDir utility

Plugin and hook installation ran npm install without the --ignore-scripts flag, allowing malicious packages to execute arbitrary code during install via preinstall/postinstall lifecycle scripts. The maintainers adopted this fix into a shared installPackageDir utility, ensuring all npm install invocations across the project now use --ignore-scripts by default.

Upstream adoption: The maintainers centralized all npm install calls through a single utility with --ignore-scripts enforced, eliminating this attack vector across the entire codebase.

Impact

205K+ GitHub stars on OpenClaw
+2,532 lines of security code contributed
6 vulnerabilities fixed
10+ downstream forks cherry-picked the scanner
34+ test cases added across all PRs

Why This Matters

These contributions come from the security research behind OpenA2A and the Agent Identity Management (AIM) platform. When we study how AI agents authenticate, communicate, and manage credentials, we find real vulnerabilities in real systems.

OpenClaw — with its plugin ecosystem, multi-channel architecture, and gateway protocol — is exactly the kind of agent infrastructure that needs hardening. It serves as the communication backbone for thousands of AI agent deployments, connecting them to Telegram, Discord, Slack, WhatsApp, and other channels through a WebSocket-based gateway.

Every vulnerability class we addressed maps to a real-world attack scenario:

Credential redaction — prevents any WebSocket client from harvesting channel API tokens
Code safety scanning — blocks malicious skills before they can execute on the host
Path traversal — eliminates filesystem escape from the A2UI serving layer
File permissions and timing attacks — hardens credential storage and authentication at the OS level
npm lifecycle attacks — prevents arbitrary code execution during plugin installation

Every vulnerability we find and fix in open-source projects makes the entire agent ecosystem safer. That is the core of what OpenA2A does — security research that ships as production fixes, not just reports.

Scan Your OpenClaw Installation

34 OpenClaw-specific security checks. Auto-remediation. Open source.

npx hackmyagent secure-openclaw
